Jean-Christophe PRAUD
302 route de la Planche
74140 Veigy-Foncenex
France
CISO, Cyber-security Consultant
--
https://www.linkedin.com/in/jcpraud
French
Married
CISSP
I am an experienced IT security specialist, with almost 30 years in various IT positions, including
10 years as CISO or cybersecurity consultant. My experience is technical, having worked as a software
engineer, system and network administrator, DBA, security systems administrator, application security
engineer and pentester. I also have experience in team and cross-functional management, as well as in
security governance, compliance and IT risk management.
Senior Cyber Security Consultant
Since September 2019
Serma NES (mission for one of the main French banks)
Security Service Provider, Paris
Main responsibilities
Ensure the compliance of all IT services and functions with the Group security requirements.
Produce reports and dashboards giving a view of the status of this compliance.
Produce reports and dashboards for the IT Group top management.
Propose solutions to improve the IT security of the Group.
Analyse IT security risks.
Analyse the gap and propose the roadmap for regulatory compliance: NIST, GDPR, LPM, banking regulations
(about 180 for all the countries where the Group operates).
SharePoint security and best practices.
Results
IT security procedures, reports and dashboards.
Evidence to be presented to compliance auditors.
IT risk analysis reports.
Gap analysis and security roadmaps.
CISO
Almerys / BE KORTALYS
2017 – 2019
Health Compensation Operator, Clermont-Ferrand, France
Main responsibilities
Chief Information Security Officer for the whole Group: France, Tunisia, Romania, Madagascar.
Security team manager: SOC, security auditors and pentesters.
Security crisis and incident management.
Implementation and operation of an ISO 27001-certified ISMS: datacenter and SOC perimeter.
Implementation and operation of an ISO 22301-certified BCMS, for the IT security part and as deputy BCCM.
Information security policies, processes and procedures definition and implementation.
IT risk management: EBIOS methodology, ISO 27005 framework.
Compliance with GDPR, HDS (French health data hosting regulation), ISAE 3402, eIDAS, customers
security requirements (health insurance companies, law organizations).
Setup of the activities for external customers.
Results
ISO 27001 and 22301 certifications.
Information security policies, processes and procedures.
Action plans for IT security compliance and support.
HDS agreements and certifications on several perimeters (cloud, health services).
eIDAS certification of the Group’s PKI.
IT security crisis solving.
Ensuring the security of PII and health data of 23 million people, clients of 150 health insurance
companies, including those of the French ministries of Interior and of Defense, and high-profile
personalities such as strategic civil servants, French government members and the President of the
French Republic.
Ensuring the security of the related financial transactions: several million euros per day.
Security incident detection and response, internal as well as external, up to state-sponsored threats.
Secure architecture blueprints: NF Z42-020 digital safe with strong cryptography and access
management. Cloud, big data and blockchain applications security.
Application Security Engineer
Almerys
2016 – 2017
Health Compensation Operator, Clermont-Ferrand, France
Main responsibilities
Software architecture and code reviews.
Penetration testing.
Security consulting, training and coaching for software engineers.
SDLC security tools setup: CI/CD.
Integration of security in projects: waterfall, Agile, DevOps.
Risk and threat analysis on critical applications (EBIOS, STRIDE).
Results
Documents intended for software engineers and project teams.
Security guidelines and specifications for projects.
Audit and pentest reports.
Software and infrastructure architecture blueprints.
OWASP methodology implementations: Top 10, ASVS.
Cyber-Security Consultant
Freelance
2013 – 2016
Customers in several domains: digital, law and automobile industry
Main responsibilities
IT risk management.
Consulting, audits and pentests.
IT Security: solutions and architectures definition and implementation.
IT security incident management: detection and response, evidence custody for legal actions.
Results
Audit and pentest reports.
Secure architecture blueprints.
Solutions selection.
Incident reports and evidence collection.
Encrypted email application conception and development (Datashush Technology / Lockemail co-founder).
Redesign of the IT infrastructure and networks between the sites and factories of an automobile parts producer: 4 sites in France, and 2 in Morocco and Romania.
PISO (Privacy & Information Security Officer)
F-Secure Bordeaux (ex Steek/Agematis)
2010 – 2013
Online storage platforms development and run, Bordeaux, France
Main responsibilities
End-to-end IT security management of the business unit, from design and development to production.
IT security incident management.
IT risk analysis and management.
IT security consulting, audits and pentests.
Software and infrastructure security.
Application security: STRIDE threats analysis.
IT security compliance: regulations, customers requirements (worldwide telcos).
Management of the DBA, BI, IT expert and architect teams.
Results
Audit and pentest reports.
Architecture blueprints.
Methodology documents intended for project and development teams.
Security procedures.
Evidence collection for compliance audits.
Security test scripts integrated in the SDLC toolchain.
DBA
Steek / Agematis
2006 – 2010
Online storage platforms development and run, Bordeaux, France
Main responsibilities
Design and implementation of high-volume, high-load databases: sharded PostgreSQL.
Database security.
Load and scalability testing.
Results
Database schemas and build scripts.
Mass loading and migration scripts.
Stored procedures.
Stress test scenarios and scripts.
Online storage platforms’ databases for more than 200 telcos, among them Orange, Neuf / SFR, Virgin, BT, AT&T, Telefonica, Singtel, Frontier, CenturyLink.
Software engineer, system and network administrator, software architect, consultant
1991 – 2006
Web agencies, freelance
Application design, development and operation
Main responsibilities
Applications design and development.
Systems architecture, deployment and run.
Consulting and training.
Security solutions installation and operation: firewalls, antivirus, antispam.
System and network hardening.
Results
Applications: PC & Mac, web, embedded.
Technical documentation and blueprints.
Training documentation.
Java training for IBM Bordeaux and Airbus Toulouse.
Online games for Coca-Cola France: summer festivals, 2006 Soccer World Cup.
Robert & Camborde’s information system (home delivery): Java/MySQL core application, embedded applications for delivery/payment and logistics/picking/storage management devices, delivery tour management with path optimization.
Web sites and applications: Bordeaux Châteaux, Quiksilver.
Minitel applications: Groupe Sud-Ouest.
Video games: Atreid Concept (Kalisto).
Technical skills
Operating systems and databases: Linux, Windows, OpenBSD, PostgreSQL, MySQL, AS/400.
Languages and tools: Java, C/C++, Apache, Perl, Python, assembly.
Security: Fortinet, Palo Alto, Stormshield, Splunk, IBM QRadar, Snort, Burp Suite, ZAP, Nessus, OpenVAS.
Methodologies, norms and frameworks: EBIOS, STRIDE, Agile, DevOps, ISO 27001, NIST, CIS, ANSSI (French National Agency for Information Systems Security), HDS (French health data hosting regulation), French, European and international banking regulations.
Others
Category B driving licence.
Education
2014 Master of IT Risk Management.
1991 DUT Informatique
1989 Bac D
Professional development
CISSP passed in 2013.
Pentester training, Sysdream 2013.
Contributions to OWASP.
Languages
French: mother tongue.
English: fluent.
German: studied until 1989.